Update module github.com/argoproj/argo-cd/v2 to v2.12.10 [SECURITY] #166
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
bot
changed the title
renovate
bot
deleted the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
39fcd97 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
e053e89 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
baee4d7 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
d217627 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
7766848 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
9c0c504 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
9764023 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
9ac0d81 to
b1c5fc9
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
4dc406b to
b1c5fc9
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.12.0->v2.12.10GitHub Vulnerability Alerts
CVE-2025-23216
Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Patches
A patch for this vulnerability is available in the following Argo CD versions:
Workarounds
There is no workaround other than upgrading.
References
Fixed with commit argoproj/argo-cd@6f5537b & argoproj/gitops-engine@7e21b91
Release Notes
argoproj/argo-cd (github.com/argoproj/argo-cd/v2)
v2.12.10Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
c26ee69: fix(appset): events not honouring configured namespaces (#21219) (#21241) (#21521) (@eadred)4ba830f: fix: resolve the failing e2e appset tests for ksonnet applications (cherry-pick #21580) (#21606) (@gcp-cherry-pick-bot[bot])Documentation
84ace16: docs: add mkdocs configuration stanza to .readthedocs.yaml (cherry-pick #21475) (#21610) (@gcp-cherry-pick-bot[bot])Dependency updates
b6e1080: chore(deps): bump go-git version to go-git/v5 5.13.1 (#21550) (@aali309)Other work
a9d8027: Merge commit from fork (@svghadi)Full Changelog: argoproj/argo-cd@v2.12.9...v2.12.10
v2.12.9Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
041133a: fix(api): send to closed channel in mergeLogStreams (#7006) (#21178) (#21188) (@gcp-cherry-pick-bot[bot])6934ace: fix: CVE-2024-21538 upgrading the indirect dependency cross-spawn to 7.0.5 (#21156) (@nmirasch)Full Changelog: argoproj/argo-cd@v2.12.8...v2.12.9
v2.12.8Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
05c1dd7: fix: 20791 - sync multi-source application out of order source syncs (cherry-pick #21071) (#21078) (@gcp-cherry-pick-bot[bot])60d0786: fix: Allow to delete repos with invalid urls (#20921) (#20975) (#21117) (@gcp-cherry-pick-bot[bot])7642db8: fix: add missing fields in listrepositories (#20991) (#21128) (@blakepettersson)Dependency updates
b32d50d: chore(deps): bump http-proxy-middleware from 2.0.4 to 2.0.7 in /ui (#20518) (#20891) (@gcp-cherry-pick-bot[bot])Other work
57cef1d: Add missing 2.12 upgrade to nav menu (#20657) (@fletch3555)Full Changelog: argoproj/argo-cd@v2.12.7...v2.12.8
v2.12.7Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Features
db5876f: feat: support using exponential backoff between self heal attempts (#20275) (#20479) (@alexmt)Bug fixes
e48878b: fix(diff): avoid cache miss in server-side diff (#20605) (#20609) (@gcp-cherry-pick-bot[bot])a41f868: fix(ui): fix create app panel reappear after closed (#19717) (#20507) (@gcp-cherry-pick-bot[bot])cacb06a: fix: check err before use schedule and duration (#20043) (#20371) (@daengdaengLee)32ef2e5: fix: support managing cluster with multiple argocd instances and annotation based tracking (#20222) (#20482) (@alexmt)Documentation
0cae929: docs(rbac): clarify glob pattern behavior for fine-grain RBAC (#20624) (#20627) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.12.6...v2.12.7
v2.12.6Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
68f63e7: fix(diff): avoid cache miss in server-side diff (#20423) (#20424) (#20450) (@gcp-cherry-pick-bot[bot])358930b: fix: don't disable buttons for multi-source apps (#20446) (#20448) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.12.5...v2.12.6
v2.12.5Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
53bb2e4: fix(ci): handle new k3s test version matrix (#20223) (#20427) (#20434) (@gcp-cherry-pick-bot[bot])3ff57d2: fix(cli): cherrypick Redis password fix #19599 into 2.12 (#20262) (@NetanelK)6e6857e: fix(ui): source can in fact beundefined(#20381) (#20420) (@blakepettersson)e2eb54c: fix: cherrypick semver fix #20096 into 2.12 (#20215) (@PaulSonOfLars)50271e1: fix: prevent crash during timer expiration after stream is closed (#19917) (#20271) (@agaudreault)Documentation
ee4f09e: docs(ui): sorting version (#20181) (#20204) (@gcp-cherry-pick-bot[bot])Other work
a05b042: chore(tests): fix erroneous cherry-pick (#20274) (@crenshaw-dev)5f5fb0d: fix(controller/ui): fix pod with sidecar state (#19843) (#20394) (@linghaoSu)Full Changelog: argoproj/argo-cd@v2.12.4...v2.12.5
v2.12.4Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
1568165: fix(appset): Fix perpetual appset reconciliation (#19822) (#19995) (@gcp-cherry-pick-bot[bot])b76a09e: fix: CVE-2024-45296 Backtracking regular expressions cause ReDoS by upgrading path-to-regexp from 1.8.0 to 1.9.0 (#20087) (#20090) (@gcp-cherry-pick-bot[bot])d56ef76: fix: diffing should not fail if resource fail schema validation (#19714) (#19729) (@gcp-cherry-pick-bot[bot])Documentation
02b8336: docs: note cluster scoping changes in 2.12x (#19684) (#19702) (@gcp-cherry-pick-bot[bot])Dependency updates
ff3ef71: cherry-pick chore(deps-dev): bump webpack from 5.84.1 to 5.94.0 in /ui (#20056) (@ishitasequeira)08fe6f5: chore(deps): bump dompurify from 2.3.6 to 2.5.6 in /ui (#19955) (#20016) (@gcp-cherry-pick-bot[bot])8590550: chore(deps): bump express from 4.19.2 to 4.20.0 in /ui (#19883) (#19987) (@chengfang)Full Changelog: argoproj/argo-cd@v2.12.3...v2.12.4
v2.12.3Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Features
343dec0: feat(sourceNamespace): Regex Support (#19016) (#19017) (#19664) (@gcp-cherry-pick-bot[bot])Bug fixes
cafd35c: fix(AnyNameSpaceRegex): Additional Functions Glob to Regexexp (#19516) (#19665) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.12.2...v2.12.3
v2.12.2Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
b068220: fix(appset): informer is not a kubernetes informer (#18905) (#19618) (#19636) (@gcp-cherry-pick-bot[bot])7244c2d: fix(appset): remove cache references (#19652) (@rumstead)c873d5c: fix: Floating title content incorrect for multi-sources (#17274) (#19623) (#19627) (@gcp-cherry-pick-bot[bot])88f85da: fix: Parse hostname correctly from repoURL to fetch correct CA cert (#19488) (#19602) (@gcp-cherry-pick-bot[bot])Full Changelog: argoproj/argo-cd@v2.12.1...v2.12.2
v2.12.1Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
952838c: fix(appset): cherry-pick - fix appset-in-any-namespace issue with git generators (#19558) (@ishitasequeira)b156b61: fix(appset): missing permissions for cluster install (#19059) (#19430) (#19435) (@gcp-cherry-pick-bot[bot])7af4526: fix: appset gpg limitation for templated project fields (#19492) (#19534) (@gcp-cherry-pick-bot[bot])fd47845: fix: docs version regex changed (#18756) (#19352) (@ft-jasong)Full Changelog: argoproj/argo-cd@v2.12.0...v2.12.1
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.